First Bus and Metrolink Manchester’s ticket app hacked

Claiming disgruntlement with private control of public transport a hacker collective made a copy of First Bus Manchester’s ticket app and reverse engineered it. In the process they discovered that the RSA private keys to sign the QR code were embedded in the app itself.

Both the First Bus app and the Metrolink app, were developed by Corethree, a company that makes mobile ticketing apps.

Rather than disclosing the issue to the developer the hacker collective has released a ride-buses-for-free code.

The group believes that public transport should be free to all and this is the reasoning for going public with the findings, adding that the research is its “contribution to get us closer to that end”.

We, the Public Transport Pirate Association of the United Kingdom are releasing our research on reverse engineering public transportation tickets in most major UK cities (excl. London.)

The reason we’ve decided not to go down the responsible disclosure path is being strong believers in public transportation being a common good that should be free for everyone, and this research is our contribution to get us closer to that end.

The initial release focuses on the Greater Manchester area, but can be easily adapted to other transportation networks that use the corethree middleware for their electronic tickets.

The security of the corethree apps is laughable at best, we could tell you guys really tried, but in the end focused too much on low-tech threats (i.e. taking a screenshot of a ticket and sending it to a friend) to be much of a challenge to even a novice hacker/reverse engineer. We’d especially like to thank you for including the private RSA keys to sign the QR codes in the First Bus m-ticket app.